Why is the EU’s General Data Protection Regulation (GDPR) the toughest Data Privacy law in the world?

A friend, who we’ll call B, tells me that in Germany, everyone receives the option to reject cookies on any website they visit. I’ve never been to Germany (or Europe), so I cannot confirm if this is true. Regardless, what I do know is that here in the US, we do not receive a pop-up to reject all cookies; instead, we see the option to limit certain essential cookies. Although individuals in the US can reject all cookies by adjusting the settings in their web browser, this process adds a layer of work that most people would rather avoid. The reason for this disparity in ‘cookie regulation’ is that European regulations like the GDPR require companies to (1) obtain user consent for non-essential cookies and (2) provide a clear, easy way to refuse them, which typically includes a “Reject All” button on cookie consent banners. The US does not have such overarching regulations.

You see, Europe does not mess around when it comes to its citizens’ privacy. Beginning with the Data Protection Directive (1995), which was created when the internet was in its infancy, the European Union (EU) has consistently sought to create data protection laws that serve as a standard for the rest of the world. Today, the EU’s General Data Protection Regulation, created in 2016, is considered the most comprehensive data privacy regulation in the world.

Privacy as a human rights issue:

Before getting into the meat of the GDPR, it is important to know that privacy is a human right in the European Union. In Europe, the right to privacy was coined in 1950 during the European Convention on Human Rights. It is protected under Article 7 of the Charter of Fundamental Rights of the European Union, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” In addition, Article 8 goes a step further by explicitly guaranteeing the protection of personal data.

Thus, privacy in Europe is a direct, standalone, and enforceable fundamental right, backed by strict regulation. The opposite of this would be a country like the United States, where the right to privacy is implied by grand interpretations of the First, Fourth, Ninth, and Fourteenth Amendments. Because there is no outright written right to privacy in the US Constitution, it is not always easy to prove in a court of law how one has been harmed by privacy encroachment.

Consequently, to account for the absence of a constitutional right to privacy, privacy laws are sectorized and federalised. For example, privacy laws are grouped into particular sectors of the economy, like the Gramm-Leach-Bliley Act (GLBA), which protects financial information, or the Health Insurance Portability and Accountability Act (HIPAA), which focuses on health care data. In the case of federalisation, there are no omnibus regulations like the GDPR. Instead, individual states enact their own privacy laws. For example, California, through the California Consumer Privacy Act (CCPA), is the state with the most comprehensive privacy laws in the US.

So… What makes the GDPR so great?

Here are a few provisions that make the GDPR quite comprehensive:

  1. First, the GDPR applies to any company that processes the personal data of EU citizens (residents), regardless of whether the company is EU-based or not.
  2. Personal data can only be processed for a specific legitimate purpose and this data cannot be stored indefinitely. There must be a specific storage length, identified before collection. (Art. 5 GDPR)
  3. The GDPR has a list of specific cases where it can be legal for companies to process the data of EU citizens/residents — anything outside of which would constitute illegal data processing. (Art. 6 GDPR)
  4. Data minimization – companies can collect and process only as much data as absolutely necessary for the purposes specified. (Art. 5 GDPR)
  5. Most organizations are required to appoint a Data Protection Officer, an employee charged with overseeing the organization’s GDPR compliance. (Art. 38 GDPR)
  6. Companies must adopt internal policies and implement measures which satisfy the principles of data protection by design and data protection by default (e.g., using end-to-end encryption or two-factor authentication where data is stored). (Recital 78)
  7. Non-compliance with the GDPR is very costly: fines can be up to €20 million or 4% of the company’s global revenue (whichever is higher). Additionally, EU citizens or residents have the right to seek further compensation for damages.

These are some general provisions within the GDPR. If you would like to learn more, visit GDPR.eu to find specific laws and regulations about data protection in the European Union. 

Accordingly, because of the GDPR, Europe remains the heavyweight champion of privacy laws. But Europe is not the only player in this ring. With the advancement and deployment of various Artificial Intelligence systems, as well as global AI expansion initiatives, many countries are entering the ring, creating statutory provisions for both privacy and AI regulation.

So, in that vein, next up we’ll take a trip to Nigeria, where its young privacy framework (launched in 2023) is still finding its footing. We’ll explore how far Nigeria has come and how far it still has to go.
